Just a few short years ago, dynamic file analysis (a.k.a. the sandbox) was all the rage. Detonating a file in a “safe” sandbox environment to learn “who it would call and what it would do”, and using that intelligence to upgrade defenses, was deemed the latest must-have technology in cyber defense.
While there is no question that dynamic file analysis is a practical and useful tool, its limitations surfaced as time went on. Understandably, bad actors have gone to school on sandboxes to learn exactly how they work, where their weaknesses are, and how to exploit those weaknesses.
Challenges
Let’s take a step back and look at just some of the challenges security professionals are faced with when relying heavily on sandboxes, then explain how complex binary analysis can help.
1. Too many files to keep up with
Enterprises are inundated with a broad range of files (more on that later), so depending entirely on a sandbox environment, which is time-consuming and resource-intensive, requires heavy investment in compute power and budget. Even then, sandboxes can easily be overwhelmed, for example by wave-style DoS attacks that flood them with submissions.
2. Sandboxes can be easily evaded
One of the biggest limitations is that the bad guys know most organizations use this technology and have found ways to fool it or go around it. Techniques include building malware that detects when it is running in a sandbox and, upon detonation, does not execute the code related to the attack, or using uncommon file extensions or browser plugin exploits that depend on environments likely not present in the sandbox.
3. Limited coverage of files that a sandbox can analyze
Typically, sandboxes are limited to just a few file types, and those that qualify likely do not include emerging attacks. The usual examples that sandboxes do run are Windows executables, some PDFs, Flash (when embedded in HTML), ZIP/RAR archives, and macros. That leaves a lot of files and objects uncovered, not to mention the new evasion techniques and emerging file format attacks that are generated every day.
Solutions
So it’s pretty clear that sandboxes have limitations, but that is not where this story ends. ReversingLabs' next-generation binary analysis is your secret weapon to defend against advanced malware threats. Here are a few reasons why:
1. Effortlessly handle high volumes of files, including large, complex file structures
ReversingLabs' AI-driven binary analysis uncovers threats embedded at the deepest levels within files, without executing the file. Our proprietary, high-speed analysis engine fully deconstructs binaries in seconds, so high volumes of files can be processed and classified quickly.
2. Evasion, what evasion?
Since it’s pre-execution, there’s no getting around binary-level analysis. Sandbox evasion becomes a moot point. Our proprietary analysis engine removes all packing and obfuscation from binary files to expose all internal objects and their metadata. There's nowhere for malware to hide. The metadata provides critical information, not available from other tools, for determining the intent and capabilities of a file.
3. We’ve got you covered
With 4800 file formats supported, ReversingLabs enables organizations to expand analysis beyond executable content, bridge critical sandbox detection gaps, and gain visibility into all unknown malware. Here’s a short list of what sandboxes typically do not cover:
- Flash (all)
- Windows DLL / drivers
- Documents
- Non-traditional archives
- Firmware
- Scripts
- PE packers
- Installers
- Android, iOS
- Linux, macOS
- Very large files
- 4000+ format families
What ReversingLabs' advanced malware analysis enables security teams to do
Security teams gain earlier detection and identification of threats. By eliminating large numbers of good files early, false positives are reduced and the efficiency of the investigation process improves significantly. This complements dynamic analysis: only “files of interest” are sent to the sandbox, and the combined metadata from both approaches offers rich context.
Internal malware investigation teams greatly accelerate their analysis processes and start from a better position. The same fast analysis and deep contextual understanding of the malware means an investigation team quickly learns the properties of a sample and can create “custom signatures and rules” to proactively search for that malware internally while upgrading detection capabilities across endpoints and networks.
Malware intelligence collected by the investigation teams, linked with the latest global threat intelligence, provides an excellent starting point for threat hunters. Locally stored malware context and advanced search capabilities enable hunters to pivot across large sample sets and push out multiple hunting queries across the network, SIEM, or data lakes.
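The pre-execution triage described above (parse the file without running it, use the structural metadata to decide what is worth a sandbox run) can be sketched in a few lines. This is an added illustration, not ReversingLabs' engine or any of its code: it reads only the PE section table, flags high-entropy or non-standard sections as likely packed, and skips files on a known-good hash allowlist. The allowlist, the 7.0-bit entropy threshold, the section-name set, and the `build_sample` helper that fabricates a minimal PE-shaped image for testing are all assumptions made for the example.

```python
import hashlib
import math
import struct
from collections import Counter

KNOWN_GOOD = set()  # constructed allowlist of SHA-256 digests; empty in this example
STANDARD = {".text", ".data", ".rdata", ".rsrc", ".reloc", ".idata", ".bss", ".tls"}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: plain code sits well below 7, packed or encrypted data near 8."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def pe_sections(blob: bytes) -> list:
    """Read the section table of a PE image without executing it: [(name, raw_bytes)]."""
    if blob[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", blob, e_lfanew + 4)
    table = e_lfanew + 24 + opt_size  # section headers follow the optional header
    hdrs = (struct.unpack_from("<8sIIII", blob, table + 40 * i) for i in range(nsec))
    return [(n.rstrip(b"\0").decode("ascii", "replace"), blob[p:p + s]) for n, _, _, s, p in hdrs]

def triage(blob: bytes, threshold: float = 7.0) -> dict:
    """Known-good files skip the sandbox; packed, odd, or unparsable files are routed to it."""
    digest = hashlib.sha256(blob).hexdigest()
    if digest in KNOWN_GOOD:
        return {"sha256": digest, "verdict": "known-good", "sandbox": False}
    try:
        sections = pe_sections(blob)
    except (ValueError, struct.error) as exc:
        return {"sha256": digest, "verdict": f"unparsed: {exc}", "sandbox": True}
    high = [n for n, d in sections if shannon_entropy(d) > threshold]
    odd = [n for n, _ in sections if n not in STANDARD]
    return {"sha256": digest, "verdict": "suspicious" if high or odd else "plain",
            "sections": [n for n, _ in sections], "high_entropy": high,
            "nonstandard": odd, "sandbox": bool(high or odd)}

def build_sample(sections) -> bytes:
    """Constructed minimal PE-shaped image for testing; not a real executable."""
    ptr, table, raw = 0x58 + 40 * len(sections), b"", b""
    for name, data in sections:
        table += struct.pack("<8sIIII", name, len(data), ptr, len(data), ptr) + b"\0" * 16
        raw, ptr = raw + data, ptr + len(data)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)  # e_lfanew: PE header at 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x102)
    return dos + coff + table + raw
```

A real pipeline would add signature checks, import tables and many more formats, but even this much keeps plain, allowlisted files out of the sandbox queue.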
Learn more about RL Malware Analysis and Threat Hunting.
Explore RL's Spectra suite: Spectra Assure for software supply chain security, Spectra Detect for scalable file analysis, Spectra Analyze for malware analysis and threat hunting, and Spectra Intelligence for reputation data and intelligence.